I've previously had somebody from Microsoft reach out to me directly about their entries and had somebody from RedHat create an issue, but I don't think either actually took action.
I'll continue to try though and am evaluating ways that the site can actually help companies update their rules.
> I've actually had one company reach out to me after making it on the list and they made their password rules less dumb.
That’s a huge win!
My pet peeve is sites that block pasting, say, from a password manager (glaring at you, Costco signup page). Those sites don’t usually include “do not paste” in the listed requirements, so this doesn’t really work with your screenshot approach. Ideas?
I used to set this permanently, but discovered that if you use Facebook, making status updates and comments becomes broken due to how FB seems to scan your input to apply styling.
But I often have to toggle it off temporarily to bypass the stupid copy/paste blocks.
I tried this, but it breaks some web apps where I need clipboard events to work (e.g. Google Docs). There needs to be a more granular option for this somehow, possibly in a plugin.
Dunno about educating all those idiots, but for mitigating their idiocy I have a two-line AutoHotKey script (this is in Windows) called FakePaste mapped to ctrl-shift-alt-V. All it does is read from the clipboard and pretend to type those characters, one per 100ms if I recall correctly, or maybe I set it to 200ms. AHK can mimic keypresses at the system level, so it defeats whatever silly shit anyone tries to do in the browser. It's as if you were typing. If you're on Windows and willing to install AutoHotKey I can give you the script.
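For readers who want to see what such a hotkey looks like, here is an AutoHotkey v1 version written as an added illustration; it is not the commenter's actual script, and the hotkey name, the 100 ms delay and the use of SendRaw are assumptions. It reads the clipboard and replays its contents as individual keystrokes, so a page's paste handler never sees a paste event.

```autohotkey
; FakePaste.ahk (illustrative, assumed layout): Ctrl+Shift+Alt+V types the
; clipboard contents one keystroke at a time instead of sending a paste event.
^+!v::
    SetKeyDelay, 100        ; assumed: 100 ms between simulated keystrokes
    SendRaw, %Clipboard%    ; SendRaw types {}, !, ^, + and # literally
                            ; instead of treating them as modifier syntax
return
```

Two caveats a practitioner should keep in mind: a newline in the clipboard is typed as Enter, which will submit most login forms early, so copy the password alone; and the keystrokes still reach the page, so any in-page keystroke logging sees exactly what a normal typist would produce.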
I've noticed a number of sites now are doing something that interferes with the password manager (Lastpass in this case). Common problems are either that autofill doesn't work (even explicitly clicking autofill does nothing), or they put a button in the username/password field that's exactly where Lastpass puts its button, so it's impossible to click.
I don't get it -- don't the sites want users to use more secure passwords? That should mean encourage password managers, unless they imagine I'm gonna remember a 32 character random unique password for every website?
I contacted my credit union about this and they responded their auditors required it for security compliance reasons. Thankfully after many months they "fixed" it by removing the restrictions... but made the login a multipage ordeal which still breaks my pw manager.
Just to add: I'm not sure if it's just a policy thing, but when a Windows RDP session locks, pasting the password is blocked. Manually typing the password becomes a pain.
I really hope anything that blocks pasting in forms has a good reason, and not just pseudo-security.
Hi, this needs a checklist or ability to see severity of infractions because some of these edge cases are very dumb to elevate alongside the truly broken flows
Using a password manager. Most include functionality to re-generate/rotate a record's password in-place, and then copy the new one to the clipboard (or even directly into the web page).
I use 1Password and even though I agree that forced password rotation is dumb, this makes it painless.
I literally couldn't apply for an American Express card about 15 years ago because my (ISP) email address was too long. I wonder why they chose to restrict it rather than go with the standard email max length; they had to put effort in to pointlessly restrict new signups. Odd.
Back in '99 or so, there was a company called Halibut Stuff selling T-shirts at Defcon (and presumably other events) that included a free email redirect service with purchase of a shirt.
So I got a shirt that said "myself@iwenttodefcon7.andalligotwas.thislousyemailaddress.com"
Not too much later, I ended up working in software validation, and I broke so many login forms with that perfectly-valid address, I lost count.
Since then, Halibut Stuff dissolved and the forwarding service is long gone. If some HN reader wanted to set up a Mailinator-like service that generates absurd-yet-RFC-compliant email addresses for such testing, I think there might be a market.
Like anyone would actually use such a testing service.
Until a few years ago it was fairly commonplace for sites to reject my perfectly valid addresses just because they had more than one period (i.e., a subdomain) or in one case, ended in the .us TLD.
I remember when their max password length was 8 characters. It blew my mind that a (effectively) bank had such terrible requirements. At least they fixed that
The 8-character limit was probably because the web site was just a fancy front-end to some decades-old mainframe system. You'd be surprised the age of technology and software big banks rely on. They tend not to fuck with a working system, partly because their reputation and millions or billions of dollars are on the line, but also because no manager wants to be the reason for a critical outage.
I write code on my on a daily basis. Coda, Swift Playgrounds, or Coda as my ssh client into a linux server and then emacs on the server. As a lightweight LTE capable environment, it's pretty amazing. It entirely depends on what you code but for web application or iOS dev it's pretty damn capable.